Cyber and Privacy Public Policy Digest
Even as the historically inactive 113th Congress winds down its legislating in the run-up to the November elections, the pace of technological change is presenting a myriad of challenges to policy makers. Issues ranging from the regulation of data brokers, to the continued fallout from Edward Snowden, to the worldwide implications of European judicial decisions will all shape how governments, companies, and individuals interact in an increasingly interconnected world.
While sweeping laws and regulatory regimes are difficult, and the Congress seems to be stuck in neutral in confronting many technological challenges, the foundation for future policies is being laid now. With so much news breaking over an ever-increasing array of platforms, it is a challenge to differentiate between what’s important and what’s political theater. The policy making in privacy and cyber-security is dynamic, evolving, and not bound by the simple orthodoxies of left vs. right, or Republican vs. Democrat. The aim of this bulletin is to give you an overview of what happened in the past week, where policies are heading, and what might be important as policy makers try to make regulatory sense out of a rapidly changing world.
The House Passes Commerce-State-Justice Appropriations
At around 1AM early Friday morning the House passed the FY2015 Commerce-State-Justice Appropriations 321-87. This year’s C-J-S bill will be Rep. Frank Wolf’s (R-VA) last as a member of Congress. During his time on the Appropriations Committee, Rep. Wolf has become one of Congress’s leaders on cyber-security and has been sounding the alarm bells on Chinese and Russian hacking for years. This year’s bill contains funding for the creation of national “cyber centers of excellence” and language encouraging the Commerce Department to create a central database of breaches, with a focus on the retail sector. The legislation also funds the FBI, and many members took the chance during speeches to laud the Bureau’s recent indictment of Chinese hackers. As with all appropriations bills, this one came to the floor under a rule which allowed for a multitude of amendments by members. Included among the amendments that passed was one authored by Rep. James Langevin (D-RI) that asks the Commerce Department’s Bureau of Industry and Security to conduct a survey of the private sector on its adoption of the much-discussed NIST Framework.
A bipartisan amendment authored by Reps. Doyle and Murphy of Pennsylvania was offered and withdrawn. Their amendment would have required the Department of Commerce and the U.S. Trade Representative to report to Congress on whether they have the ability to sanction foreign companies who benefit from cyber-espionage. Offering and withdrawing amendments is often used by members as a way to highlight policy problems to the Administration without tying the hands of the bureaucracy. Look for this issue to rear its head once more as the Congressmen, and their allies, continue to press the Administration for policy changes and to prod them for action.
Homeland Security Appropriations
The House Homeland Security Appropriations Subcommittee marked up their FY2015 legislation. It calls for a $745.5 million cyber-security appropriation for the year, largely in line with the request of the Obama Administration. The overall DHS bill funds the Department at $39.2 billion. Included within the cyber portion of the bill is funding for the National Protection and Programs Directorate and $171 million for federal network security.
FTC Releases Long Awaited Data Broker Report
On Tuesday, the Federal Trade Commission released its long-awaited report on the data broker industry. The report greatly expands on the findings of an earlier report by the Senate Commerce Committee and takes a hard look at the various policy implications of the industry and recommendations for crafting future regulations. The FTC’s report delves into the mechanics of data collection, how the data is sorted, and the real-world implications of how a company’s selective use of data might impact consumers over the course of years. For instance, the FTC points out that a motorcycle enthusiast might have their data used as a way to get discounts and news about bike products, but the same data might be used to increase their insurance premiums.
Yet the report didn’t uncover anything necessarily illegal; instead, it found an industry that is quietly, but fundamentally, impacting the lives of American consumers in profound ways. The Commission recommended that Congress create legislative protections for consumers such as:
- A centralized system where consumers can opt out of some forms of collection
- Requirements that data brokers provide consumers access to the data collected on them
- Notice from consumer-facing web sites about what data is being collected and who it might be shared with
- Greater protections for sensitive, personally identifiable data
- Ways for consumers to correct their data
So what now? With Congressional legislative days quickly winding down, the chances for legislative action this year are very slim. Senate Commerce Committee Chairman Jay Rockefeller set out an ambitious goal last year of crafting data broker legislation before he retires at the end of this Congress. In the House, former Energy and Commerce Chairman Joe Barton has been a consistent advocate for regulation of the data broker industry, but outside of an ongoing bipartisan working group of the E&C Committee, there has been little energy behind any comprehensive effort. This year seems more likely to produce messages about data brokers than legislation. However, this year’s message bills could easily become next year’s legislation as the public becomes more aware of how the collection and dissemination of their personal data impacts their lives.
The White House
President Obama gave the commencement address to the West Point cadets and in it he outlined his vision for an American foreign policy. In the speech the President specifically addressed cyber-security stating, “Keep in mind, not all international norms relate directly to armed conflict. We have a serious problem with cyber-attacks, which is why we’re working to shape and enforce rules of the road to secure our networks and our citizens.”
The European Union
Google Creates “Right to be Forgotten” Form
In somewhat of a surprise, Google announced on Friday that they would comply with a sweeping decision by the European Court of Justice which mandated that the search engine provide European users a way to take down potentially embarrassing or outdated information. The Court’s decision to validate a so-called “right to be forgotten” has reverberated throughout the technology community and seems poised to further divide philosophies on privacy, data collection, and innovation.
In meeting its new European obligations, Google will deploy a relatively low-tech response. Instead of using algorithms and predictive data, the world’s largest search engine will ask users to fill out an online form giving the URL of the offending material, the home country of the user, and an explanation of why the link should be removed. From there, a group of humans (not automated bots) will make final decisions on delinking. If Google cannot make a decision, or decides against a petitioner, then there would be an appeal process to the data protection authority in the home country of the complainant. Country data protection authorities expect a deluge of requests in the wake of the ruling, and it is anyone’s guess whether the legal and regulatory architecture is in place to meet the demand.
Larry Page Responds to ECJ Ruling in the Financial Times
In a wide-ranging interview with the Financial Times, Google CEO Larry Page gave voice to the frustration many technologists feel and described how Google intends to respond to its new European responsibilities. Mr. Page’s response to the ECJ largely mirrors many of the criticisms brought by journalists: that the ruling itself could undermine democracy as public figures and politicians seek to delink unflattering information from voters, investors, or consumers. In the two weeks since the ruling, Mr. Page stated, Google has already received “a few thousand” such requests, and many of those requests came from public figures: “Certainly I worry about the effect that might have on democracy over time if we don’t do this perfectly.”
He also added that limiting information could manifest itself in ways that are not yet known, stifling innovation, and curbing the ability of new companies to enter the European marketplace. To that end, Mr. Page said that Google will redouble its efforts in Europe to engage in regulation and undertake a change in corporate culture to bridge the gaps between its American roots and European presence. “We’re trying now to be more European and think about it (privacy) maybe from a more European context…I wish we’d been more involved in a real debate. That’s one of the things we’ve taken from this, we’re starting the process of really going and talking to people.”
House- not in session
Tuesday, June 3- Senate Commerce, Justice, State Appropriations Mark-up
Wednesday, June 4- Senate Commerce Committee, Subcommittee on Privacy and Technology, “The Location Privacy Protection Act of 2014.”
Thursday, June 5- Full committee markup of the FY2015 Commerce, Justice, and Science, and Related Agencies; and Transportation, Housing and Urban Development, and Related Agencies Appropriations bills.
Senate (Select) Intelligence Committee – Full committee hearing on “Foreign Intelligence Surveillance Act (FISA) Reforms.”
Tuesday, June 3- 1:00 pm Commerce Department (DOC); National Telecommunications and Information Administration (NTIA) (F.R. Page 73502) holds a multistakeholder meeting to develop a consumer data privacy code of conduct concerning facial recognition technology.
Wednesday, June 4- 8:30am Commerce Department (DOC); National Institute of Standards and Technology (NIST) (F.R. Page 28484) holds a meeting of the Smart Grid Advisory Committee to discuss the updated NIST Framework and Roadmap for Smart Grid Interoperability Standards, updated guidelines for Smart Grid Cyber Security (NISTIR 7628), NIST Smart Grid Testbed activities, and interactions between Cyber-Physical Systems and Smart Grid.